The Complete HIPAA Compliance Checklist for Medical Practices
A comprehensive 30-point HIPAA compliance checklist covering administrative, physical, and technical safeguards every medical practice must have in place.
Leon Guy
Managing Director & Principal Engineer
HIPAA compliance isn't optional—it's a legal requirement that protects both your patients and your practice. Yet many medical practices operate with significant compliance gaps, often without realizing it.
This checklist covers the administrative, physical, and technical safeguards required under the HIPAA Security Rule. Use it to identify gaps in your current compliance posture.
Administrative Safeguards
These are the policies, procedures, and documentation that form the foundation of HIPAA compliance.
✅ 1. Security Risk Assessment
A formal, documented risk assessment identifying potential threats to PHI.
Requirement: Annual assessment (at minimum), plus after significant changes.
Why it matters: This is the foundational HIPAA requirement. Without it, you cannot claim compliance.
✅ 2. Risk Management Plan
Documented plan addressing risks identified in your assessment.
Requirement: Prioritized remediation with timelines and responsible parties.
✅ 3. Information Security Policies
Written policies covering PHI handling, access, transmission, and disposal.
Key policies needed:
- Acceptable use policy
- Access control policy
- Password policy
- Incident response policy
- Data retention and disposal policy
✅ 4. Security Officer Designation
Named individual responsible for security policy development and compliance.
Requirement: Documented designation with defined responsibilities.
✅ 5. Privacy Officer Designation
Named individual responsible for privacy policy and patient rights.
Note: Can be the same person as Security Officer in small practices.
✅ 6. Workforce Training
All employees trained on HIPAA requirements and practice policies.
Requirement: Training upon hire, annual refreshers, documentation of completion.
✅ 7. Sanction Policy
Documented consequences for policy violations.
Requirement: Clear escalation from warning to termination.
✅ 8. Business Associate Agreements
Signed BAAs with all vendors who access PHI.
Common business associates:
- EHR vendors
- Billing services
- IT providers
- Cloud storage providers
- Shredding services
- Answering services
✅ 9. Incident Response Procedures
Documented procedures for responding to security incidents and breaches.
Must include:
- Detection and reporting procedures
- Investigation process
- Breach notification requirements (60-day rule)
- Documentation requirements
✅ 10. Contingency Plan
Documented plan for maintaining operations during emergencies.
Components:
- Data backup plan
- Disaster recovery plan
- Emergency mode operations
Physical Safeguards
Controls over physical access to facilities and equipment containing PHI.
✅ 11. Facility Access Controls
Policies and procedures limiting physical access to areas containing PHI.
Consider:
- Badge access systems
- Visitor logs
- Escort requirements
- After-hours security
✅ 12. Workstation Use Policy
Policies specifying proper workstation use and physical attributes.
Include:
- Screen positioning (away from public view)
- Automatic screen locks
- Clean desk policy
- Restricted areas for workstations with PHI access
✅ 13. Workstation Security
Physical safeguards for workstations accessing PHI.
Consider:
- Cable locks for laptops
- Secured mounting for desktops
- Privacy screens in public areas
✅ 14. Device and Media Controls
Procedures for hardware and electronic media containing PHI.
Must address:
- Disposal (certified destruction)
- Re-use (complete data wiping)
- Accountability (tracking who has what)
- Data backup and storage
✅ 15. Server Room Security
Physical protection for servers and network equipment.
Requirements:
- Locked room with restricted access
- Access logging
- Environmental controls (temperature, humidity)
- Fire suppression appropriate for electronics
Technical Safeguards
The technology and related policies protecting PHI.
✅ 16. Unique User Identification
Every user has their own unique identifier for system access.
Requirement: No shared accounts. Ever.
✅ 17. Emergency Access Procedures
Mechanisms to access PHI during emergencies when normal procedures aren't available.
Document: Who can authorize, under what circumstances, how it's logged.
✅ 18. Automatic Logoff
Systems automatically log off users after a defined period of inactivity.
Recommendation: 15 minutes or less for workstations with PHI access.
✅ 19. Encryption
PHI encrypted at rest and in transit.
At rest:
- Full-disk encryption on all devices
- Database encryption
- Backup encryption
In transit:
- TLS for all network communications
- Encrypted email for PHI transmission
- VPN for remote access
✅ 20. Audit Controls
Systems recording and examining access to PHI.
Must log:
- Who accessed what
- When access occurred
- What actions were taken
- Failed access attempts
✅ 21. Access Controls
Technical policies limiting PHI access to authorized persons.
Implement:
- Role-based access (minimum necessary)
- Access request and approval process
- Regular access reviews (quarterly recommended)
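As an added example, not code from the original article, the following Python checker runs over constructed audit-log lines to show what items 20 and 21 ask for in practice: every record must carry who, what, when and outcome, repeated failed attempts are surfaced for follow-up, and accounts with no successful access during the quarter are listed as input for the access review. The pipe-delimited field layout, the failure threshold and the 90-day window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not from any real system).
# One event per line, pipe-delimited: timestamp|user|action|record|outcome
SAMPLE_LOG = """\
2024-03-01T08:12:05|jsmith|VIEW|patient/1001|SUCCESS
2024-03-01T08:15:40|jsmith|UPDATE|patient/1001|SUCCESS
2024-03-02T09:02:11|unknown|LOGIN|-|FAILURE
2024-03-02T09:02:30|unknown|LOGIN|-|FAILURE
2024-03-02T09:03:01|unknown|LOGIN|-|FAILURE
2023-11-10T14:20:00|rlee|VIEW|patient/2002|SUCCESS
2024-03-03T10:00:00|bad line without fields
"""

# The four things item 20 says an audit record must answer, plus the outcome.
REQUIRED_FIELDS = ("timestamp", "user", "action", "record", "outcome")

def parse_audit_log(text):
    """Parse lines into dicts. Lines missing a required field are reported
    by line number rather than silently dropped, so logging gaps are visible."""
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split("|")
        if len(parts) != len(REQUIRED_FIELDS):
            malformed.append(lineno)
            continue
        rec = dict(zip(REQUIRED_FIELDS, parts))
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        records.append(rec)
    return records, malformed

def failed_attempts_by_user(records, threshold=3):
    """Users with at least `threshold` FAILURE outcomes (assumed threshold);
    these are the lockout / alert candidates from item 22."""
    counts = defaultdict(int)
    for r in records:
        if r["outcome"] == "FAILURE":
            counts[r["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}

def dormant_users(records, active_accounts, as_of, days=90):
    """Accounts with no successful PHI access in the last `days` (assumed 90,
    one quarter): the list a quarterly access review should start from."""
    last_seen = {}
    for r in records:
        if r["outcome"] == "SUCCESS":
            if r["user"] not in last_seen or r["timestamp"] > last_seen[r["user"]]:
                last_seen[r["user"]] = r["timestamp"]
    cutoff = as_of - timedelta(days=days)
    return sorted(u for u in active_accounts if last_seen.get(u, datetime.min) < cutoff)
```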
✅ 22. Authentication
Verification that persons seeking access are who they claim to be.
Requirements:
- Strong password policy
- Multi-factor authentication (strongly recommended)
- Account lockout after failed attempts
✅ 23. Transmission Security
Protection against unauthorized access to PHI during transmission.
Implement:
- Encrypted connections (HTTPS, TLS)
- Secure email solutions
- Encrypted file transfer
✅ 24. Integrity Controls
Mechanisms to ensure PHI hasn't been improperly altered or destroyed.
Consider:
- Checksums for data integrity
- Version control
- Change logging
✅ 25. Malware Protection
Software that detects and blocks malicious code on endpoints and servers.
Requirements:
- Modern endpoint protection (not just antivirus)
- Regular updates
- Central management and monitoring
Backup and Recovery
✅ 26. Regular Backups
PHI backed up regularly with encryption.
Recommendations:
- Daily backups (at minimum)
- Multiple backup copies
- Offsite/cloud storage
✅ 27. Air-Gapped Backups
At least one backup copy that ransomware cannot reach.
Why it matters: Modern ransomware targets backups first. Offline copies survive.
✅ 28. Tested Recovery
Backup restoration tested and documented.
Requirement: Test quarterly, document results.
Documentation and Ongoing Compliance
✅ 29. Policy Documentation
All policies documented, dated, and retained for six years.
Maintain:
- Current versions accessible to workforce
- Historical versions retained
- Version control with change tracking
✅ 30. Regular Reviews
Scheduled reviews of all security measures.
Frequency:
- Risk assessment: Annual
- Policies: Annual
- Access reviews: Quarterly
- Training: Annual with updates as needed
How Did You Score?
25-30 checks: Strong compliance foundation. Focus on ongoing maintenance.
18-24 checks: Gaps exist. Prioritize missing administrative and technical controls.
12-17 checks: Significant compliance risk. Immediate attention needed.
Under 12 checks: High risk of audit findings and potential breach. Consider engaging compliance expertise immediately.
The Reality of HIPAA Enforcement
HIPAA penalties have increased significantly in recent years:
- Minimum penalty: $137 per violation (unknowing)
- Maximum penalty: $2,067,813 per violation category per year
- Criminal penalties: Up to $250,000 and 10 years imprisonment for intentional violations
Beyond fines, breaches require notification to affected patients, HHS, and potentially media—causing lasting reputation damage.
Getting Help with HIPAA Compliance
HIPAA compliance requires ongoing attention and expertise. Most medical practices don't have staff dedicated to information security—nor should they need to.
For 30 years, Layth Solutions has been helping NYC medical practices achieve and maintain HIPAA compliance. We handle the technical complexity so you can focus on patient care.
Request a confidential HIPAA readiness assessment to identify your compliance gaps and understand what it would take to achieve audit-ready status.